Poweliks the undetectable malware analyzed by G Data

Posted on August 25th, 2014

Poweliks is not like other malware. Indeed, it is a malicious program that likes to get around all antivirus without difficulty. To achieve that, it is installed directly on the hard drive of Windows without using a prior installation, leaving no trace of installed file. How to protect themselves against Poweliks while a powerful antivirus surrendered from the start? G Data experts have studied the issue and reveal their analysis on this threat.

A unique attack strategy of its kind

When the term ‘malicious program’ is evoked, it is generally thought to unknown files stored on the computer system, attempting to damage or steal personal information. Detectable, they can be easily treated by conventional antivirus. However, the malware Poweliks is not like the others … Its inventors have developed a rare and highly encrypted code that is able to nest on the hard drive without ever being detected.

For this, they have developed an attack system in stages:

  1. The introduction of Poweliks the computer is done through a vulnerability in Microsoft Word.
  2. To go unnoticed, it creates a startup registry key coded allowing it to resist all restarts.
  3. This key has two codes: one that automatically installs Windows PowerShell script and PowerShellx64, running the shellcode.
  4. This shellcode is running a Windows binary program that connects to IP addresses coded to communicate with a server and receive commands.

Stored on the hard drive and completely encrypted, Poweliks is able to bypass all antivirus analysis and therefore achieve its goals without the user noticing. To avoid such situations, it is possible to neutralize the Word document before this process is initiated or detect any unusual behavior to block malware. Analysis of G Data, below, will help all users to sniff out his trail.

Experts at G Data SecurityLabs analyzed Poweliks to discover the mechanism used by cyber attackers. They detailed what happens during the four stages of the process:

Step 1: The entry point

Poweliks operates via Microsoft Word vulnerability described in CVE-2012-0158. The first unusual behavior were detected in false attachments sent by Canada Post or UPS – they claimed to contain order forms.

Step 2: The key to go unnoticed

To resist each system restart, a registry key is created.

Step 3: A Russian dolls process

A security researcher has found a way to decode this kind of key. His laboratory has identified two separate codes: the script that automatically installs Windows PowerShell and another the PowerShellx64, running the shellcode. Normally, Windows prevents the execution of PowerShell scripts and displays an error message, but the creators of Poweliks managed to work around this limitation by setting an execution file interactively.

Once Windows PowerShell installed, PowerShellx64 automatically starts the execution of the shellcode. Indeed, thanks to the $p variable, it can use VirtualProtect () to make the file executable and CallWindowProcA () to run it.

Step 4: Attack via a Windows binary program

Once executed, the shellcode can allocate computer memory using VirtualAlloc (), copy data and hers to offset 0x1104 and run the copied code.

The Windows binary program is identified by the characters ‘MZ’ and channels MPRESS1 and MPRESS2. Representing the malware, they can connect to two IP addresses, located in Kazakhstan in order to receive commands.

At present, these addresses are offline which prevents to know the real motivation of cyber attackers. Therefore, it is not to miss any event of attack such as installing spyware to steal information, the installation of banking Trojans to steal money or the introduction of click fraud.

Related products:

comments powered by Disqus